February 21st, 2006


Our Cyberpunk Present: Script-Kiddie Botnets = Gangster Supercomputers (part 2)

The technology that makes it possible for Russian, Australian, and American mobsters to make huge money through hacker crimes is the botnet. The first generation of this was called the "zombie PC" problem. In that older form, a spammed trojan horse, an ActiveX web-based virus, or a phished or spammed web page exploiting known Windows security holes would quietly install software onto your PC that ran at all times. Periodically it would check in with some central control point to collect tasks to perform: spam to send out, lists of other network addresses to try to hack, password hashes to run dictionaries against, fake web pages to host temporarily, or whatever. This was bad enough, but the Internet service provider (ISP) industry thought the problem was manageable. In theory, Microsoft and the other software vendors would plug the holes being used to brainwash the zombie PCs. Then the ISPs' security departments could identify the few remaining zombies and cut off those customers' Internet access until they called in, got instructions from the ISP on how to patch their PCs, and the problem would be solved.
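An added example (mine, not from the original post or the story it links to) of how a network defender could hunt for that periodic check-in in outbound-connection logs: a host that contacts one destination at nearly constant intervals stands out from ordinary browsing, whose timing is irregular. The log layout, addresses, interval and thresholds below are constructed for the illustration, not taken from any real botnet.

```python
"""Beacon detection over constructed outbound-connection records.

Added illustration, not code from the original post: flags flows in which one
host contacts one destination at near-constant intervals, the "check in
periodically with a central control point" pattern described above. The
record layout, addresses, interval and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (epoch seconds, source host, destination ip:port).
# 10.0.0.5 checks in with 198.51.100.7 every ~600 s with small jitter;
# 10.0.0.9 is ordinary browsing with irregular timing. Addresses come from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    (1000, "10.0.0.5", "198.51.100.7:6667"),
    (1597, "10.0.0.5", "198.51.100.7:6667"),
    (2204, "10.0.0.5", "198.51.100.7:6667"),
    (2801, "10.0.0.5", "198.51.100.7:6667"),
    (3399, "10.0.0.5", "198.51.100.7:6667"),
    (4003, "10.0.0.5", "198.51.100.7:6667"),
    (1010, "10.0.0.5", "203.0.113.20:80"),
    (2530, "10.0.0.5", "203.0.113.21:443"),
    (1100, "10.0.0.9", "203.0.113.30:80"),
    (1130, "10.0.0.9", "203.0.113.30:80"),
    (1900, "10.0.0.9", "203.0.113.30:80"),
    (3700, "10.0.0.9", "203.0.113.30:80"),
    (3710, "10.0.0.9", "203.0.113.30:80"),
    (3950, "10.0.0.9", "203.0.113.30:80"),
]


def find_beacons(records, min_conns=5, max_cv=0.15):
    """Return (src, dst, mean_interval, cv) for flows whose inter-connection
    gaps are regular: coefficient of variation (stdev / mean) <= max_cv over
    at least min_conns connections. Thresholds are assumptions to tune per
    environment; expect false positives from legitimate pollers such as NTP
    or software-update checks, which must be allow-listed separately."""
    by_flow = defaultdict(list)
    for ts, src, dst in records:
        by_flow[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_flow.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits.append((src, dst, m, cv))
    return hits


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst} every ~{interval:.0f}s (cv={cv:.3f})")
```

On the sample the only flagged flow is 10.0.0.5 to 198.51.100.7, with a mean gap of about 600 seconds; the browsing host's gaps vary by an order of magnitude and are ignored. Jitter added by the bot author raises the coefficient of variation, so in practice the threshold is a trade-off against false positives rather than a fixed constant.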

This approach has failed miserably. The first reason it failed is that it vastly underestimated the number of security vulnerabilities in a modern computer; unless there are radical and invasive changes in the way the whole software industry runs, we will not see the last security vulnerability patched in our lifetimes. The industry also falsely believed that those vulnerabilities were confined to a relatively tiny number of points of failure: that if customers could be educated out of a short list of high-risk behaviors, the problem would be contained. You were probably told this yourself, as recently as in the last few months, including by me. It turns out not to be even vaguely true. The industry also failed to realize just how many desktop computers there are that are never, ever patched, and will therefore remain permanently vulnerable to automatic hijacking. But the most terrifying aspect is that, having grossly underestimated the potential number of zombies and the ease with which new ones could be created, they also failed to scale up, in their heads, what the problem would look like as the number of zombie PCs grew.

We should all have seen this coming, because what organized crime has done is copy the model of one of the most famous and successful Internet projects of all time: SETI@home Classic. Launched in 1999, by the time funding for that phase of the project ran out and it was shut down last year it had over 5,000,000 personal computers on the Internet doing calculations for it, part time, on a processor-time-available basis (that is, whenever those people's computers weren't already running at 100% capacity). The SETI@home Classic client, like its current successor BOINC, collects a piece of the job from a central task distributor, runs on its own until it's done, and then reports the results back. Why do this? Because five million 1 to 2 gigahertz Celeron, Pentium, and AMD chips, each with anywhere from a quarter-gigabyte to several gigabytes of RAM at its disposal, add up to a mind-boggling amount of computing power.

Well, what several organized crime gangs have realized is that if you're not especially picky about how you ask for permission to install something like BOINC, then given all the vulnerabilities in a modern PC, building a network the size of SETI@home is now pretty trivial. That kid in Oklahoma from the Washington Post story I linked to yesterday? Judging from the network architecture involved, I'd guess he's just a short-term workaround for the one part of the process that isn't quite finished being automated. He earns his $80,000-a-year share of the gangsters' profits by checking in every day to see whether there are code changes or patches to his zombie-creator software that he needs to install before running it again. There's no good reason that architecture still needs him; there's less and less reason the zombie botnets aren't big enough to do their own self-maintenance. The only remaining infrastructure problem is how to distribute the updates. Right now that takes human intervention by way of chat rooms, but everybody on both sides of the game knows the actual software authors are working on adding peer-to-peer file-sharing algorithms. Once that happens, guys like 0x80 are out of a job. The crime boss's tech staff will collect the latest build from their programmers and hand it to anybody to run for a couple of minutes on any PC anywhere in the world, say a cheap disposable laptop in a car parked outside some public or unsecured WiFi hotspot, and once it finds any member of its own botnet, the zombies will spread it among themselves in less time than it takes 0x80 to do it. Once that part of the software is debugged, you can pretty much give up on technical solutions, unless you've got your own 5-million-or-more PC botnet to track them with.

What's more, we've only begun to see what can be done with a 5,000,000 node gangster botnet. The gangsters themselves are apparently constrained by their own limited imaginations. So far, all they've thought to do with them are:
  • Spam and Pop-Ups: The ISPs have gotten fast enough at shutting down larger spam servers that the vast majority of the spam on the Internet these days comes out of zombie botnets. Some of that spam goes to semi-legitimate businesses, or at least businesses that are legal at the point where the money is collected: pr0n, online gambling, money laundering, and sale of prescription drugs without a license. Quite a bit of it, though, is aimed at tricking you into visiting web pages where merely displaying the page is enough to exploit known security holes in the browser or the operating system and infect your machine with the zombie software itself. That is to say, there's no direct money in that spam; it's just botnets propagating themselves.
  • Child Pr0nography: Some of that spam isn't for things that are legal anywhere, though, and some of the biggest bucks are in delivering online pr0n that's illegal just about no matter where you're from, such as bestiality pr0n, rape pr0n, and kiddie pr0n. The botnets take care of every part of the operation, from hosting the servers at their current temporary locations to spamming the advertising to running the payment authorizations. And under current US law, if your PC is part of that botnet, prosecutors don't have to prove that you intended it or even knew about it to lock you up for years and then make you register as a child-sex offender for the rest of your mortal life. The only thing keeping thousands of Americans out of jail for this is a combination of prosecutorial discretion and limited law enforcement resources (and skill) for finding botnet PCs. Sleep well. Oh, and speaking of pr0n, don't forget how common the Peeping Tom fetish is, and consider that nearly every botnet construction kit includes code to grab snapshots at random from any connected webcam, even one you thought was turned off, and collect them centrally. You might not want to leave yours plugged in when you're not using it and fully dressed. Fortunately, at the moment, sorting the resulting images for potential pr0n is labor intensive. But given sufficient computing power it needn't be, and see below as to why that's not going to be much of an obstacle for the gangsters for long.
  • Denial-of-Service Extortion: If it weren't for the difficulty of collecting the extortion money, this one would be even more common; fortunately, collecting on this scam and getting away with it is much harder than the scam itself. Nonetheless, the botnets all include, in their basic code, the ability to have every zombie on the botnet hit the same Internet address at the same time, or to run staggered, varied attacks over a longer period. The net result is to knock any address on the Internet out of service for a couple of hours or more. Could they use this to, say, shut down the parts of the credit card authorization system that connect to each other over the Internet for 8 hours on the day after Thanksgiving? Absolutely. And one of these days somebody who's bored, ready to cash out, and therefore willing to sacrifice his botnet will do exactly that on a lark. Fortunately, as with virtually all blackmail schemes, it's often harder than you'd think to pick a victim who'll pay you and then not get bagged by the cops in the process of collecting it.
  • Bank Account Password Theft: All the virus construction toolkits these days include off-the-shelf software that waits for you to visit any of the web sites the botnet told it to watch for, records the next hundred or so characters you type on your keyboard, and forwards those keystrokes to someone who can then use your PayPal account, Amazon account, or credit card number, or create checks by phone or over the Internet, to order merchandise or transfer money. Hardly anybody uses it now, though, at least not for more than trivial amounts, because at the moment the cops have toughened up worldwide to the point where you get nailed at the moment you collect the money or the merchandise. Or if not worldwide, certainly anywhere gangsters would be willing to live. I offer this example to point out that even though next to nothing useful has been done on the technological end, the problem is being kept to very manageable levels by going after it at the money-collection end.
  • Stock Market Fraud: This one's the hot one, especially on the smaller and international exchanges. The easiest version consists of merely spamming out a lot of bogus stock tips touting some currently worthless stock you own as "the next big thing," waiting for enough suckers to buy it that they drive the price up, and then selling yours. It's called "pump and dump." But bigger botnets enable the most breathtaking versions we've ever seen of an equally old, previously small-time scam: the newsletter scam.
I always adored the newsletter scam; I think it may be my all-time favorite version of the Long Con, the extended-duration confidence scam. It used to work like this. Buy a mailing list of, say, 4000 potential investors. Now print up 2000 copies each of two versions of the best-looking investment newsletter you can produce. Fill the newsletter with perfectly legitimate wire-service stories, perfectly legitimate company press releases, and the same tired cliché "investment strategies" that every newsletter since the dawn of the industry has included. The part that matters is the front-page, above-the-fold headline. Pick a stock at random. Half of the newsletters predict, based on (non-existent) insider reports, that the stock will go up over the next 30 days. Half of them predict the opposite. Whichever prediction was wrong, throw that half of the mailing list away. Repeat two more times. Now you have a list of 500 people who know, from experience, that you can reliably predict stock price movements. Send them a fourth newsletter saying that, based on insider reports, on such and such a day such and such a stock will rise fast. The day before, buy the stock. Once the price peaks, not only dump the stock but short-sell it, since you know it will tank once news of the scam breaks, and double your money on the way down. Cash out fast and run. Now imagine running the newsletter scam via spam, to tens of millions of people at a time, in a world where not all of the global exchanges have the real-time detection software that the NYSE (and belatedly NASDAQ) uses to detect this scam, on exchanges where you don't have to risk blowing up a rare and valuable brokerage license to play.

But even this represents a failure of imagination. NASA uses less supercomputer power than that to run signal processing on every radio telescope in the world, looking for decodable signals. The NSA uses much, much less supercomputer power than that to decrypt enemy radio and cellphone signals. Be precise about what a plausibly large botnet can and cannot do with that power, though. It can exhaust the keyspace of legacy 40- and 56-bit ciphers, and of any password short enough to guess, in hours or less. It cannot exhaust a properly generated 128-bit key: the keyspace is so large that even five million PCs would need millions of times the current age of the universe, so raw compute is not what threatens a well-keyed modern cipher, and adding more key bits is not what protects you from this particular adversary. What the botnet threatens is every place the effective key is shorter than advertised: passwords, legacy ciphers, and above all the compromised endpoints themselves, where the zombie software can simply capture keystrokes and session data rather than guess anything. And what happens when the botnets branch out to every other device on the planet with a CPU chip and a communications interface, like your cellphone? Even when I worry about this, what I really worry about is that I'm having my own failure of imagination. The fact of the matter is that it's only in the last year or two that computer scientists have begun to crack the generalized scheduling problem. I saw a videotaped college lecture by one of the chief engineers at Google, who was showing off the capabilities of the scheduler that distributes Gmail work, Google searches, web crawling, and so forth. Yes, it seemed very nice, but kind of boring; parallel processing has been around for decades. Then he explained that the algorithm used to divide the tasks up among available processors and network interfaces wasn't hand-tuned to each task, that they have a generalized software algorithm that will analyze any well-written computer program and massively parallelize it, no matter what the program was intended to do. My jaw dropped. As recently as two years ago, I would have told you that was true-AI territory, a capability that was still decades out. The fact of the matter is that it is only just barely now possible to do things with zombie botnets that none of us have imagined. But it will be organized crime gangs that imagine it first, and do it; they're the ones who stand to make huge amounts of money doing it.

(This is running way, way too long. Tomorrow: Why what you're doing now almost certainly isn't working as well as some of you think, why it won't work at all pretty soon, what little you could be doing to buy yourself some time, why that won't work for very long, and what I think the world needs to be doing about this.)